Reversing.AC - The way to stay under radars

CSPL.ru Anti-Cheat Analysis

Sat, 18 Jan 2020 04:59:00 +0000

Hello,

Today we’ll talk about CSPL.ru Anti-Cheat named as “AAC” which means “Apofig Anti-Cheat”. Apofig is previous name of this Russian League.

AAC is mostly user-mode anti-cheat but they have kernel mode module too. Previously, when AAC was only user-mode Anti-Cheat in 2012 or around this, they managed to detect Organner via going through all files of player system and looking for ‘config.cfg’ and launcher of Organner. Similar to what Valve did to detect Organner. They was looking for USN Journal and searching for config.cfg and was reading first 2 lines which contained something like ‘Organner.pl Immunity Duo Config File’ and locating of config file to find launcher of organner near of config.

What they do?:

Collect running processes
Collect running modules in processes
Collet names of windows
Enumerating of running drivers
Walking through prefetch and USN Journal
Walking through system and hashing files
Screenshots via GDI for Desktop screenshots and DirectX for In-Game screenshots.
Protect process via Kernel Callbacks

The four main entities of Anti-Cheat are:

1: AAC.exe is launcher which connects with CSPL.ru aac.cspl.ru:8008/login (for some reason, they creating log about connection with site. Can be found there C:\senderr.txt)

Example of log:

17/1/2020 17:20:2 Starting AAC
17/1/2020 17:20:4 Send ok! CSPLOK. ID = 1
17/1/2020 17:20:18 Send ok! CSPLOK. ID = 1
17/1/2020 17:20:29 Send ok! CSPLOK. ID = 1
17/1/2020 17:20:44 Send ok! CSPLOK. ID = 1
17/1/2020 17:20:55 Send ok! CSPLOK. ID = 1

AAC.exe does loading driver usbhubmswg.sys which installs Callbacks.

usbhubmswg.sys using certificate with name ‘Kazakevich Aleh’ and if you’ll google this name then you’ll end up there [0]. This is how they hashing files of system.

AAC.exe does injection of aacdx.dll and d3dx10_43.dll in to game.

AAC.exe collecting running processes in system, there a example structure of single process:

struct {
  std::string windows_caption;
  std::string command_line;
  std::string local_path;
  DWORD hash;
  std::uint8_t file_size;
  std::string caption;
  dlls_stuct dlls;
  DWORD hash2;
} process_struct;

AAC.exe collecting running dlls in the process, there a example structure:

struct {
  std::string local_path;
  DWORD hash;
  std::string caption;
} dlls_struct;

2: usbhubmswg.sys installing CreateProcess, LoadImage, CreateThread, ObProccess(PreCall), ObProcess(PostCall), ObThread(PreCall), ObThread(PostCall) to protect game from injection and etc.

Driver is protected via VMProtect.

Non-finished yet.

3: aacdx.dll does VEH Hook on something?

Non-finished yet.

4: Screenshot Cleaner - Proof of Concept

Non-finished yet.

5: HWID Information.

There a structure which contains current user HWID Data (Notice: Its not complete reversed yet.)

struct {
  std::string UserName;
  std::uint8_t WinVer;
  std::uint8_t OSbit;
  std::uint8_t WinVer;
  std::string VideoCard;
  std::string DiskVolInfo; /// Disk Volume Info
  std::uint8_t HDD_Type;
  std::string HDD_Name;
  std::uint8_t HDD_RevNo; /// Revision Number
  std::uint8_t HDD_SN;   /// Serial Number
} HWID_Data;

Credits

# https://github.com/fwx
# https://github.com/getjump

Lost Ark Unexpected Data Mining

Fri, 17 Jan 2020 09:20:00 +0000

Yay its my first post and this is my first time reversing or hacking in Unreal Engine.

Today, I’ll talk little bit about how game reversing lead me to new upcoming recently announced classes [0]. (Notice: They only just announced them, so there is no actual information about them).

Right now I’m working on a bot for Lost Ark. The main reason is to get an advantage in PvP and not waste any time on routine jobs like getting resources for healing potions.

The bot should go through the level and collect all the possible obtainable resources. (We define it via a menu, which resources are needed)

But I’ve run into a problem. I can’t get the names of the entities on the level.

They have names defined by the engine, like: “EFSkeletalMeshActor” + ID of the entity of the class on the current level. So, the final result is; for example are “EFSkeletalMeshActor_1” but it could be Mining/Lumbering/Herbalism resources.

We can’t handle gathering resources with the bot because it can’t distinguish the real names of resources.

This is how they look in game:

So, I’ve started to reverse it and trying to find their category or something that can help me.

I’ve found some interesting things for the upcoming update.

There is data in the game which is responsible for players class division [1] and their sub-classes.

(This enum is deprecated for some reason, real enum [2] is much bigger and contains pre-defined types for future new sub-classes like: PLAYER_CLASS_SPECIALIST600 = 600)

// Enum EFGame.EFConst.PlayerClassDeprecated
enum class EPlayerClassDeprecated : uint8_t
{
	PLAYER_CLASS_DEPRECATED_NA     = 0,
	PLAYER_CLASS_DEPRECATED_WARRIOR = 1,
	PLAYER_CLASS_DEPRECATED_MAGICIAN = 2,
	PLAYER_CLASS_DEPRECATED_FIGHTER = 3,
	PLAYER_CLASS_DEPRECATED_DELAIN = 4,
	PLAYER_CLASS_DEPRECATED_HUNTER = 5,
	PLAYER_CLASS_DEPRECATED_SPECIALIST = 6,
	PLAYER_CLASS_DEPRECATED_BERSERKER = 7,
	PLAYER_CLASS_DEPRECATED_DESTROYER = 8,
	PLAYER_CLASS_DEPRECATED_WARLORD = 9,
	PLAYER_CLASS_DEPRECATED_ARCANA = 10,
	PLAYER_CLASS_DEPRECATED_SUMMONER = 11,
	PLAYER_CLASS_DEPRECATED_BARD   = 12,
	PLAYER_CLASS_DEPRECATED_BATTLE_MASTER = 13,
	PLAYER_CLASS_DEPRECATED_INFIGHTER = 14,
	PLAYER_CLASS_DEPRECATED_FORCE_MASTER = 15,
	PLAYER_CLASS_DEPRECATED_BLADE  = 16,
	PLAYER_CLASS_DEPRECATED_DEMONIC = 17,
	PLAYER_CLASS_DEPRECATED_REAPER = 18,
	PLAYER_CLASS_DEPRECATED_HAWK_EYE = 19,
	PLAYER_CLASS_DEPRECATED_DEVIL_HUNTER = 20,
	PLAYER_CLASS_DEPRECATED_BLASTER = 21,
	PLAYER_CLASS_DEPRECATED_ASTROLOGER = 22,
	PLAYER_CLASS_DEPRECATED_MUSICIAN = 23,
	PLAYER_CLASS_DEPRECATED_ALCHEMIST = 24,
	PLAYER_CLASS_DEPRECATED_SCOUTER = 25,
	PLAYER_CLASS_DEPRECATED_LANCE_MASTER = 26,
	PLAYER_CLASS_DEPRECATED_HOLYKNIGHT = 27,
	PLAYER_CLASS_DEPRECATED_MAX    = 28
};

If you’ve played the game at least once then you know that this enum contains more than we get in-game.

So, what does it actually show us?

That there are un-released classes like Specialist which contain these sub-classes:

PLAYER_CLASS_SPECIALIST        = 601,
PLAYER_CLASS_ASTROLOGER        = 602,
PLAYER_CLASS_MUSICIAN          = 603,
PLAYER_CLASS_ALCHEMIST         = 604,

Also, I’m reversing the CIS region’s version of the game (Its approx. 1 year behind the Korean region’s game version), so it doesn’t have new warrior sub-class Holy-Knight or new class called Assassin but the engine contains data for them because they are surely going to be added in the future.

So, what else we can see?

The Hunter class is going to get a new sub-class named ‘Scouter’.

PLAYER_CLASS_HUNTER            = 501,
PLAYER_CLASS_HAWK_EYE          = 502,
PLAYER_CLASS_DEVIL_HUNTER      = 503,
PLAYER_CLASS_BLASTER           = 504,
PLAYER_CLASS_SCOUTER           = 505,

The Assassin class is named “Delain” in the engine and also contains an un-released sub-class named ‘Reaper’.

PLAYER_CLASS_DELAIN            = 401,
PLAYER_CLASS_BLADE             = 402,
PLAYER_CLASS_DEMONIC           = 403,
PLAYER_CLASS_REAPER            = 404,

Original post [3] was by me on UC but I decided to post it here too, also describing how I found these things.

I know its nothing “big” but it was interesting to find something like this.

If you want to learn more about the game engine for finding anything else interesting then here is a link [4] to a dump of the Game Engine.

Well, I don’t know how to end this post but here is my method for obtaining the un-released data from the game engine.

Thanks for reading!

Credits

# https://github.com/realrespecter (Korea SDK Dump)
# KN4CK3R (UnrealEngine SDK Dumper)
# TheFeckless (Tutorial on reversing Unreal Engine)